Flash plugin records visited web sites

Bug #162045 reported by Jennifer on 2007-11-11
Affects: flashplugin-nonfree (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: flashplugin-nonfree

I have all the privacy settings turned on in Firefox. Imagine my surprise when I did a search through my home directory and found many subdirectories containing the names of URLs I had visited. They are all under a subdirectory called ".macromedia". This information is maintained across multiple invocations of Firefox. The only way to get rid of this recording process is to create a soft link such as:

rm -rf .macromedia
ln -s /dev/null .macromedia

Flash continues to work with this soft link in place, making me wonder about the original intent of this subdirectory in the first place.

Update: there is an extension for Firefox that does this:
<http://www.yardley.ca/objection/>

"What is 'objection'?

objection is an extension for Firefox that adds deletion of Local Shared Objects
to the Option > Privacy panel."

It would be nice for this feature to be integrated into firefox.

That page made it clear that this is handled entirely in the plugin. Thus, it is
completely out of the scope of the networking library. -> ffox frontend

(Hm... comment 0 says you are using mozilla, not firefox?)

Christian Biesinger (:bi) wrote:

> (Hm... comment 0 says you are using mozilla, not firefox?)

I'm from the Flashblock team so I use both for testing. I opened this bug
because someone in the flashblock mailing list asked us to block flash cookies
as well. I thought that this was more appropriate as part of firefox/seamonkey
instead of an extension - then several minutes later I find the "objection"
extension while looking for something else.

Grrr. The author of objection totally replaces PrivacyPanel.clearAll() instead
of handing off to the original after processing the LSOs.

*** Bug 298825 has been marked as a duplicate of this bug. ***

I don't see a dupe of this bug, marking as new.

*** Bug 383320 has been marked as a duplicate of this bug. ***

*** Bug 399724 has been marked as a duplicate of this bug. ***

*** Bug 400934 has been marked as a duplicate of this bug. ***

*** Bug 414478 has been marked as a duplicate of this bug. ***

There is no patch. And even if there were, it would have i18n impact. I think it's too late in this cycle to block.

Updated link to the Objection extension (Delete Flash Local Shared Objects):
http://objection.mozdev.org/

crf (chrisfahlman) wrote :

It is to store flash information files. I guess like cookies. They are probably harmless, but are not sanitisable in firefox. http://en.wikipedia.org/wiki/Local_Shared_Object

The problem affects Windows as well.

On Windows, however, one can set options on the Flash plugin to not store files, and these options are not available on the Macromedia Linux Flash plugin.
http://kb.adobe.com/selfservice/viewContent.do?externalId=52697ee8&sliceId=1

There are bugs in mozilla -->
https://bugzilla.mozilla.org/show_bug.cgi?id=290456
https://bugzilla.mozilla.org/show_bug.cgi?id=400934
--

Changed in flashplugin-nonfree:
status: New → Confirmed

crf (chrisfahlman) wrote :

There is a flash program on macromedia's site that adjusts the flash player settings
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

The settings file it interacts with online is, I think, this one:
~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol

It seems to work, but it still DOES NOT stop files and directories being created from sites you visit.
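
The on-disk record described in the report and in the comment above can be audited, and cleared, from a shell. This is an added example, not part of the bug report or of any project mentioned in it; it assumes the usual Linux Flash Player layout (a `#SharedObjects` tree plus per-site `#<site>` directories beside the global `settings.sol`), and the function names `lso_sites` and `lso_purge` are hypothetical.

```shell
#!/bin/sh
# Added example: list and clear the per-site traces Flash Player leaves on disk.
# Assumed layout below the storage root (default ~/.macromedia):
#   Flash_Player/#SharedObjects/<random-id>/<site>/...   stored objects (*.sol)
#   Flash_Player/macromedia.com/support/flashplayer/sys/#<site>/   per-site settings
#   Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol   global settings

# Print every site name recorded on disk, one per line, sorted and de-duplicated.
lso_sites() {
    fp="${1:-$HOME/.macromedia}/Flash_Player"
    {
        # Stored objects: the site is the second directory level under #SharedObjects.
        for d in "$fp/#SharedObjects"/*/*/; do
            if [ -d "$d" ]; then basename "$d"; fi
        done
        # Per-site settings: directories named "#<site>".
        for d in "$fp/macromedia.com/support/flashplayer/sys"/\#*/; do
            if [ -d "$d" ]; then basename "$d" | sed 's/^#//'; fi
        done
    } | sort -u
}

# Remove stored objects and per-site settings, keeping the global settings.sol.
lso_purge() {
    fp="${1:-$HOME/.macromedia}/Flash_Player"
    # Nothing to do if the root is missing or is the /dev/null symlink workaround.
    if [ ! -d "$fp" ]; then return 0; fi
    rm -rf -- "$fp/#SharedObjects"/* \
              "$fp/macromedia.com/support/flashplayer/sys"/\#*
}
```

Called with no argument, both functions operate on `~/.macromedia`; pass another root to inspect a different profile or a copied home directory.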

Not blocking, far too late for changes of this type.

In , Asa (asa) wrote :

Surely there are other plugins that store private data. Shouldn't we simply have a "Plug-in data" checkbox in the Clear Private Data... window? Why clear just cookies and leave other private data on disk?

Is there a universal "clear plugin private data" API or does each plugin do things differently? If the latter I don't see how it would be practical to build in awareness of any and all plugin data handling not just for currently existing plugins but for any hypothetical future plugins from some obscure developer in Upper Moldavia.

In , Asa (asa) wrote :

There doesn't have to be a consistent API for Firefox to do its best for the common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.

(In reply to comment 15)
> There doesn't have to be a consistent API for Firefox to do its best for the
> common ones, Flash, Java, QuickTime, WMP, Acrobat and a few others.

In that case I suggest that having a "Plug-in data" checkbox in the Clear Private Data dialog would give a wrong impression, not to mention a false sense of security to the average mom'n'pop user who doesn't realise that this only clears data from popular plugins. Unless of course you change it to a "Some Plug-in data" checkbox.

In , Asa (asa) wrote :

Philip, no more misleading than our current "clear cookies" or "clear offline website data" (and probably others) neither of which are cleared in certain plugin cases. You're making perfect the enemy of good here. We can probably never get everything and we can't be 100% accurate in our labeling without making the dialog unusable.

> You're making perfect the enemy of good here.

Asa, normally I'd agree with you (i.e. get something working first, worry about perfection later), but one of our "selling points" is that Firefox does security better than that other browser so I want to be more cautious when it comes to this type of issue. But I'll defer to the security and UI people who know more about these sorts of things.

*** Bug 471331 has been marked as a duplicate of this bug. ***

Hi just wanted to let y'all know, the objection plugin is not compatible with 3.5. Thus the workaround no longer works.

https://addons.mozilla.org/en-US/firefox/addon/6623

BetterPrivacy 1.29
Works with Firefox: 2.0 – 3.6a1pre

Hi,

we (Adobe) are planning on supporting private browsing in Firefox and other browsers in a forthcoming Flash Player release.

additionally, we would welcome an NPAPI addition that would be called when a user wants to clear their private data. this is in our future plans also, but would likely happen a lot faster if this was implemented by Mozilla, rather than us having to write the patch for it ourselves.

also PLEASE do not try to clear LSO's in the browser code - imo this is something that should be handled by plugins themselves via an NPAPI addition.

Ian

Does Adobe have somewhere where interested people can contribute to discussion on the implementation? There are some, in my opinion, very complex issues that Adobe will have to overcome.

I have been looking at implementing Private Browsing mode support into Objection and the only solutions I came up with could create big problems for the user.

Linux users or extension developers may wish to know that the popular swfdec plugin stores site information in the file ~/.config/swfdec-mozilla (or similar).

Ian -

With Private Browsing, it looks like Adobe has decided to ask the browser if it is in Private Browsing and choose its mode based on that, correct?

Also, I don't see anything in https://bugs.adobe.com for allowing the browser to tell Flash what to clear.

All -

If this bug was specifically for Firefox Private Browsing, then I'd say it is resolved and a separate bug is needed for regular browsing.

Can this bug be closed, then?

Changed in flashplugin-nonfree (Ubuntu):
status: Confirmed → Incomplete